Check Enrollment Status on Your Managed Chromebooks; Another Ransomware Incidents Points Out Costs of Manual Workarounds; Vulnerabilities Found in Electric Vehicle Charger Protocols

If you're reliant on your managed mode for your Chromebook fleet, you're going to need to monitor to make sure they remain enrolled until Google's patch can be deployed. Effectively, you boot from external media, run the code which both unenrolls the device and puts it in developer mode. If you're researching this behavior, make sure that you're using a valid shim, as some will brick the Chromebook. If you're creating a device that supports developer and managed modes, create two accounts before enrolling: first in developer mode, the second enrolled.

This exploit requires direct access to the ChromeBook. While that may be appealing for users of enrolled and managed ChromeBooks, it is likely a violation of enterprise IT security policies and violators would be held accountable. Physical access to devices (laptops, desktops, etc.) open up a number of potential new attack vectors that can be used by an adversary.

Not a lot of information out on this one – the important part is always *why* and *how* the attack succeeded. In the financial world, being forced to use slower manual trading/reconciliation processes can carry huge costs to customers and the financial organization hit swamps recovery costs.

The LockBit ransomware group is taking credit for this attack, threatening to leak data on Feb 4 unless the ransom demand is paid. Financial institutions using their services currently have to process trading and clearing of exchange-traded derivatives manually. The question is how long manual processing will be viable. When reviewing DR plans, this is something to contemplate and at least plan for a point where you need to move to a new automated system before the business impact is unacceptable.

This ransomware attack, while specific to financial trading systems, is a good reminder for every enterprise to revisit their SLA with third party software vendors. Reliance on third party vendors for products and services should be part of a company’s risk assessment; and mitigations such as switching to staff intensive processes regularly tested to counter impacts to business operations.

Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to the charger includes data lines to regulate charging and provide metering as well as payment information. It is more like a "very large USB-C" charger in how it combines data and power delivery. This provides an avenue to either attack the charger or the car. In addition, wireless networking may be used as well to interface with mobile devices for payment.

In 2021 USD 7.5B was allocated over five years to build out EV charging stations and last September the Biden administration launched a grant program to build charging networks along 75,000 miles of interstate highways. That means the focus is going to be on deployment before the money runs out rather than cyber security. While many states are working to require cyber security components as part of approving grants for EV charging stations, this still leaves existing or legacy installations possibly exempted. If providers don't resolve issues, expect a regulatory body, like NERC, to step in and require it. Regardless, if you're in the EV charging business, you want to make sure that you've got cyber security covered, before your hand is forced.

This announcement isn’t unexpected as the EV infrastructure continues to build out. Researchers in academia, private sector, and hacking circles will start fully testing the underlying protocols and vulnerabilities will be found. Unfortunately, speed to market often trumps adequate security testing of new technology. We’ve witnessed a similar parallel with vehicle automation. What’s important is that the industry move quickly to close this and other vulnerabilities, as they will be targeted by cybercriminals.

It is clear that the FBI Cyber Crimes Unit has adapted its tactics, techniques, and procedures to better support victims of cybercrime. In this instance, while successful, other cybercriminal gangs will learn from this change in tactics to increase their vetting procedures. As always, more work needs to be done to make enterprises more resilient against ransomware attacks.

The FBI is facing a balancing act. While their work gets them access to tools, like decryptors, that victims desperately need, releasing those tools can also compromise their investigation. The trend with the Hive takedown indicates they are actively working to release things sooner. My takeaway is to make sure that you've got a relationship with your local FBI office so you know who to call if you have an incident and need to leverage their resources.

The Healthcare Sector was frequently targeted for ransomware attacks in 2022 and that trend is continuing into 2023. Organizations that make up this critical infrastructure sector can’t say they haven’t been warned that a ransomware attack is coming for you. I urge all organizations to use the recently published ‘Blueprint for Ransomware Defense’ as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.

As the event is still under active investigation, Atlantic General is holding their cards close until they have definitive answers. In the meantime, they are operating under a combination of manual procedures and reduced capacity to minimize the overall impact on patients. While working to increase security, which the medical profession is doing, it's important to look beyond your top identified mitigations to make sure that you've not left unaddressed attack paths, e.g, MFA on the workstations, but leave accessible (unprotected) network jacks in the conference rooms.

Hospitals really need to isolate patient-facing applications from those, like e-mail and browsing, that are connected to the public networks.

If only new org charts and strategic plans could solve supply chain security issues. More info to buyer organizations is pretty low on the need list to improve supply chain security – more pressure on the suppliers is needed. In 2018 the Federal Acquisition Security Council (FASC) was created by the 2018 Federal Acquisition Supply Chain Security Act. In 2021, FASC issued rulemaking establishing authority to issue removal and exclusion orders if suppliers were found to be negligent. US procurement policy moved pretty quickly to remove/exclude Chinese suppliers of technology, but I can’t find any case of any actual action taken against the numerous suppliers that have had cybersecurity incidents. The US government needs to use its buying power to drive progress.

Beyond training for a consistent approach, having resources to share existing research would be helpful. Those databases would need to include context, and the hardest part, remain unclassified.

One might hope that holding suppliers accountable for shipping malicious code would be an obvious place to start. At some point we must address the software quality problem. We may be spending as much or more trying to eliminate vulnerabilities in software which the suppliers wrote themselves as we are eliminating malicious code that they shipped but did not write.